switching from cookie storage to client storage

New Here ,
Jan 03, 2020

Recently my app was scanned for vulnerabilities and I was flagged for a few - mostly pertaining to the client variables and the associated cookies. Specifically with a cookie being utilized called CFClient_SMITH (let's just say that my application is called SMITH). My hosting site does not allow session variables, so I must use client variables. Evidently because there is no client storage set, all of the client variables are now being stored in the CFClient_SMITH and are available for the picking. I am getting nailed for Privilege Escalation, User Impersonation, Forced browsing - just to name a few.

I was told that by naming a clientstorage value this would eliminate this issue. The hosting group told me to use a specific clientstorage value (let's say APPLE) and to set the client cookies to no as shown below:

<cfapplication name="SMITH"
        applicationtimeout="#createTimeSpan(0,4,0,0)#"
        clientmanagement="Yes"
        setclientcookies="No"
        setdomaincookies="yes"
        clientstorage="apple"
        sessionmanagement="No"
        scriptprotect="all">

So I thought that was all I needed, but the website worked in IE 11 but not in Firefox and Chrome.

My question is - is this the correct approach? And if yes, then I assume that I now need to go back into all of the code and append the cookies to the pages that really need them to be passed to using:

<cfset myEncodedURL=URLSessionFormat("MyActionPage.cfm")>
<cfform method="Post" action="#myEncodedURL#">

Any help and guidance you can provide is greatly appreciated!

Libby Hornbostel

TOPICS
Getting started, Server administration

Views

479

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

Adobe Community Professional ,
Jan 03, 2020

You don't need to use the setclientcookies=no to solve your problem. That's what's making you think you'd have to pass the session id's on each request.

And it is NOT what is causing the cookies with all the client variable values. That will be stopped once you use that clientstorage pointing to a db.

But do be sure to delete the existing cookies to see the difference take effect. (That's probably why it seemed to "work" on one browser and not another, if the failing ones already had cf cookies set for the app.)

Let us know how it goes.

/Charlie (server troubleshooter, carehart.org)

Adobe Community Professional ,
Jan 07, 2020

Hi Libby,

First off, I agree with Charlie that database storage is your best option. It's either that, or storage in the registry. But this latter option is universally considered to be unacceptable. For one thing, storing ColdFusion client data in the registry can have adverse impact on the Operating System.

Assuming apple is a datasource containing tables that are correctly configured for ColdFusion client-variables, then the following settings are sufficient:

<cfapplication name="SMITH"
        applicationtimeout="#createTimeSpan(0,4,0,0)#"
        clientmanagement="yes"
        clientstorage="apple"
        setclientcookies="no"
        setdomaincookies="no"
        sessionmanagement="no"
        scriptprotect="all">

Adobe Community Professional ,
Jan 07, 2020

Sure, you still show using setclientcookies=no, which I'd argue we should not. To be clear, that's not what controls whether cf stores client variables IN cookies (the point of the original question). That's the clientstorage attribute.

For interested readers, I will repeat that setclientcookies simply controls whether cf should use a cookie to TRACK that a browser is connected to cf with the cfid/cftoken cookies, for use with either cf client or session vars. If you turn it off this way, then you need to pass the cfid/cftoken yourself on every request. That's an old approach from the days when some browsers or orgs did not support ANY cookies.

/Charlie (server troubleshooter, carehart.org)

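The distinction Charlie draws above (clientstorage decides where client variables live; setclientcookies only decides whether CFID/CFTOKEN are handed to the browser as cookies), together with the cfapplication tag in the original post, can be turned into a small configuration check. The Python script below is an added example, not code from this thread or from ColdFusion: it parses a <cfapplication> tag and reports the conditions discussed here. The three sample tags are constructed from the thread; the severity labels and the decision to flag an omitted clientstorage attribute for manual confirmation (it then inherits the ColdFusion Administrator default, which the check cannot see) are the example's own assumptions.

```python
import re

# Constructed samples based on the thread. POSTED_CONFIG is the tag from the
# original post (closing ">" added); COOKIE_CONFIG stands for the state the
# scanner reported, client variables kept in the CFClient_<name> cookie;
# FIXED_CONFIG is the corrected tag given later in the thread.
POSTED_CONFIG = """<cfapplication name="SMITH"
        applicationtimeout="#createTimeSpan(0,4,0,0)#"
        clientmanagement="Yes"
        setclientcookies="No"
        setdomaincookies="yes"
        clientstorage="apple"
        sessionmanagement="No"
        scriptprotect="all">"""

COOKIE_CONFIG = '<cfapplication name="SMITH" clientmanagement="yes" clientstorage="cookie">'

FIXED_CONFIG = """<cfapplication name="SMITH"
applicationtimeout="#createTimeSpan(0,4,0,0)#"
clientmanagement="yes"
clientstorage="apple"
setclientcookies="yes"
setdomaincookies="no"
sessionmanagement="no"
scriptprotect="all">"""

TAG_RE = re.compile(r"<cfapplication\b(.*?)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_cfapplication(cfml):
    """Return the attributes of the first <cfapplication> tag, keys lower-cased."""
    match = TAG_RE.search(cfml)
    if match is None:
        raise ValueError("no <cfapplication> tag found")
    return {name.lower(): value.strip() for name, value in ATTR_RE.findall(match.group(1))}


def is_yes(value):
    """CFML boolean attributes accept yes/no as well as true/false."""
    return value.strip().lower() in ("yes", "true")


def audit(attrs):
    """Return (severity, message) findings for the client-variable settings."""
    findings = []
    if not is_yes(attrs.get("clientmanagement", "no")):
        return findings  # no client scope, so nothing is stored anywhere

    app = attrs.get("name", "<unnamed>")
    storage = attrs.get("clientstorage")
    if storage is None:
        # Omitted attribute: the Administrator default store applies. Assumption of
        # this example: ask for confirmation rather than guess what that default is.
        findings.append(("WARN", "clientstorage not set; client variables use the "
                                 "Administrator default store, confirm it is a datasource"))
    elif storage.lower() == "cookie":
        findings.append(("HIGH", f"client variables are kept in the CFClient_{app} cookie, "
                                 "a value the browser controls"))
    elif storage.lower() == "registry":
        findings.append(("WARN", "client variables are kept in the registry"))

    # setclientcookies defaults to yes, setdomaincookies defaults to no.
    if not is_yes(attrs.get("setclientcookies", "yes")):
        findings.append(("INFO", "setclientcookies=no: CFID/CFTOKEN are not set as cookies, "
                                 "so every link and form must carry them via URLSessionFormat()"))
    if is_yes(attrs.get("setdomaincookies", "no")):
        findings.append(("INFO", "setdomaincookies=yes: CFID/CFTOKEN cookies are shared "
                                 "across all sub-domains of the site"))
    return findings


if __name__ == "__main__":
    for label, cfml in (("posted", POSTED_CONFIG), ("cookie", COOKIE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label)
        for severity, message in audit(parse_cfapplication(cfml)) or [("OK", "no findings")]:
            print(f"  {severity}: {message}")
```

Run against the three samples, the cookie-storage tag is the only one that produces a HIGH finding, the posted tag produces only the two informational notes (the setclientcookies=no consequence and the sub-domain cookie sharing), and the corrected tag produces nothing, which matches the advice in the thread.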
Adobe Community Professional ,
Jan 08, 2020

Just an oversight, Charlie.

Libby, that should in fact read:

<cfapplication name="SMITH"
applicationtimeout="#createTimeSpan(0,4,0,0)#"
clientmanagement="yes"
clientstorage="apple"
setclientcookies="yes"
setdomaincookies="no"
sessionmanagement="no"
scriptprotect="all">

Contributor ,
Jan 09, 2020

Charlie Arehart and BKBK -

Thank you for your help!

For your comment "do be sure to delete the existing cookies" - I assume that can be accomplished by recycling the CF instance? Or is there something needed more than that?

Thank you again for your help!

Libby H

Adobe Community Professional ,
Jan 09, 2020

Nope, I mean in the browser. That's why I said there also that if it worked, it could explain why you experienced different results in different browsers. Each browser has its own cookies for your cf site.

By clearing them in the browser, you cause it to obtain the "right" cookies--for the current configuration in cf, that you have now enabled (per the changes we proposed).

As for how to clear them, there are various ways in the different browsers, letting you clear one or all for a given site, or clearing all for all sites (usually overkill). Google can get you the right solution for your browser.

Let us know how it goes.

/Charlie (server troubleshooter, carehart.org)

Adobe Community Professional ,
Jan 12, 2020

So how did things turn out, Libby? 

/Charlie (server troubleshooter, carehart.org)

BKBK
Adobe Community Professional ,
Jan 12, 2020

Libby, I now see something more.

1) If you're using sub-domains (say, subDomain1.yourDomain.com and subDomain2.yourDomain.com) and you want the client variables to apply to them all, then set

setdomaincookies="yes"

2) You could delete the old cookies simply by overwriting them with the current values. For example, by using something like this in Application.cfm:

<cfparam name="client.isCookieRefreshed" default="false" type="boolean">

<cfif not client.isCookieRefreshed><!--- Refresh cookies --->
    <cfcookie name="CFClient_SMITH" value="new_cookie_value">
    <cfcookie name="cfid" value="#client.cfid#">
    <cfcookie name="cftoken" value="#client.cftoken#">

    <!--- Alternatively, where the client variables apply to sub-domains --->
    <!---
    <cfcookie name="CFClient_SMITH" domain=".yourDomain.com" value="new_cookie_value">
    <cfcookie name="cfid" value="#client.cfid#" domain=".yourDomain.com">
    <cfcookie name="cftoken" value="#client.cftoken#" domain=".yourDomain.com">
    --->

    <cfset client.isCookieRefreshed = true>
</cfif>
